
Apache Hardening Part 5

This document discusses two Apache modules - mod_security and mod_evasive - that can be used to secure an Apache web server. Mod_security acts as a firewall and protects against brute force attacks. Mod_evasive efficiently handles HTTP requests and prevents DDoS attacks. The document also provides instructions on installing these modules on Ubuntu/Debian and RHEL/CentOS systems. It further discusses disabling symbolic link following in Apache and turning off server-side includes and CGI execution for additional security.

Uploaded by

nonenone

7. Use mod_security and mod_evasive Modules to Secure Apache
These two modules, “mod_security” and “mod_evasive”, are very popular
Apache modules in terms of security.
Mod_security
mod_security works as a firewall for our web applications and allows us
to monitor traffic in real time. It also helps us to protect our websites or
web server from brute force attacks. You can simply install mod_security on your
server with the help of your default package installers.
Install mod_security on Ubuntu/Debian

$ sudo apt-get install libapache2-modsecurity

$ sudo a2enmod mod-security

$ sudo /etc/init.d/apache2 force-reload

Install mod_security on RHEL/CentOS/Fedora

# yum install mod_security

# /etc/init.d/httpd restart

Mod_evasive
mod_evasive works very efficiently: it takes one request to process and processes
it very well. It prevents DDoS attacks from doing as much damage. This feature
of mod_evasive enables it to handle HTTP brute force and DoS or DDoS attacks.
This module detects attacks with three methods.
• If too many requests come to the same page a few times per second.
• If any child process is trying to make more than 50 concurrent requests.
• If any IP is still trying to make new requests while it is temporarily blacklisted.
mod_evasive can be installed directly from the source. Here, we have an
installation and setup guide for these modules, which will help you to set up these
Apache modules on your Linux box.
• Protect Apache using Mod_Security and Mod_evasive
8. Disable Apache’s following of Symbolic Links
By default Apache follows symlinks. We can turn off this feature by using
FollowSymLinks with the Options directive. To do so, we need to make the
following entry in the main configuration file.

Options -FollowSymLinks

And, if any particular user or website needs FollowSymLinks enabled, we can
simply write a rule in the “.htaccess” file for that website.

# Enable symbolic links

Options +FollowSymLinks

Note: To enable rewrite rules inside the “.htaccess” file, “AllowOverride All” should
be present in the main configuration globally.
9. Turn off Server Side Includes and CGI Execution
We can turn off server side includes (mod_include) and CGI execution if they are not
needed. To do so, we need to modify the main configuration file.

Options -Includes
Options -ExecCGI

We can do this for a particular directory too, with the Directory tag. In this
example, we are turning off Includes and CGI file execution for the
“/var/www/html/web1” directory.

<Directory "/var/www/html/web1">

Options -Includes -ExecCGI

</Directory>

Here are some other values which can be turned on or off with the Options directive.
• Options All – To enable all options at once. This is the default value if you
don’t want to specify any values explicitly in the Apache conf file or .htaccess.
• Options IncludesNOEXEC – This option allows server side includes without
the execute permission for commands or CGI files.
• Options MultiViews – Allows content-negotiated multiviews with the
mod_negotiation module.
• Options SymLinksIfOwnerMatch – It’s similar to FollowSymLinks. But this
will follow a link only when the owner is the same between the link and the
original directory to which it is linked.
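
The check below is an added example, not part of the original document: it works out which of FollowSymLinks, Includes and ExecCGI are still enabled in each context after the Options lines from sections 8 and 9 are applied. The names apply_options and audit, the web2 and web3 directories and the default parameter are assumptions made for illustration; only server-level Options and <Directory> blocks are handled.

```python
import re

ALL = {"execcgi", "followsymlinks", "includes", "includesnoexec",
       "indexes", "symlinksifownermatch"}  # "All" excludes MultiViews
RISKY = {"followsymlinks", "includes", "execcgi"}  # what sections 8 and 9 turn off

def apply_options(current, args):
    """Apply one Options directive: an all-signed list merges, otherwise it replaces."""
    result = set(current) if all(a[0] in "+-" for a in args) else set()
    for a in args:
        name = a.lstrip("+-").lower()
        names = ALL if name == "all" else set() if name == "none" else {name}
        result = result - names if a.startswith("-") else result | names
    return result

def audit(conf, default=("followsymlinks",)):
    """Map each context to its enabled risky options (global first, then enclosing dirs)."""
    scopes, scope = {"global": []}, "global"
    for line in map(str.strip, conf.splitlines()):
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            scope = m.group(1).rstrip("/") or "/"
        elif line.lower().startswith("</directory"):
            scope = "global"
        elif re.match(r"Options\s", line, re.I):
            scopes.setdefault(scope, []).append(line.split()[1:])
    findings = {}
    for path in scopes:
        eff = set(default)
        for p in ["global"] + sorted((q for q in scopes if "global" not in (q, path)
                                      and (path + "/").startswith(q.rstrip("/") + "/")), key=len):
            for args in scopes[p]:
                eff = apply_options(eff, args)
        findings[path] = sorted(eff & RISKY)
    return findings

# Constructed sample: web1 is the page's example, web2 and web3 are hypothetical.
SAMPLE = """Options -FollowSymLinks
<Directory "/var/www/html/web1">
    Options -Includes -ExecCGI
</Directory>
<Directory "/var/www/html/web2">
    Options +FollowSymLinks +Includes
</Directory>
<Directory "/var/www/html/web3">
    Options Indexes ExecCGI
</Directory>"""

if __name__ == "__main__":
    print(audit(SAMPLE, default=ALL))  # default=ALL follows the page's stated default
```

With the “All” default, the global “Options -FollowSymLinks” line alone still leaves Includes and ExecCGI on outside web1, and the unsigned list in web3 replaces the inherited options instead of merging with them.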
